
Understanding User Account Capabilities, Privileges, and Rights

All user accounts have specific capabilities, privileges, and rights. When you create a user account, you can grant the user specific capabilities by making the user a member of one or more groups. This gives the user the capabilities of these groups. You then assign additional capabilities by making a user a member of the appropriate groups or withdraw capabilities by removing a user from a group.

In Windows Server 2008, some capabilities of accounts are built in. The built-in capabilities of accounts are assigned to groups and include the group's automatic capabilities. Although built-in capabilities are predefined and unchangeable, they can be granted to users by making them members of the appropriate group, or delegated by granting the capability specifically. For example, the ability to create, delete, and manage user accounts is a built-in capability assigned to administrators and account operators. Thus, if a user is a member of the Administrators group, the user can create, delete, and manage user accounts.

Other capabilities of accounts, such as permissions, privileges, and logon rights, can be assigned. The access permissions for accounts define the operations that can be performed on network resources. For example, permissions control whether a user can access a particular shared folder. You can assign access permissions to users, computers, and groups. The privileges of an account grant permissions to perform specific tasks, such as the ability to change the system time. The logon rights of an account grant logon permissions, such as the ability to log on locally to a server.

An important part of an administrator's job is being able to determine and set permissions, privileges, and logon rights as necessary. Although you can't change a group's built-in capabilities, you can change a group's default privileges and logon rights. For example, you could revoke network access to a computer by removing a group's right to access the computer from the network. Table-1 provides an overview of the default privileges assigned to groups. Table-2 provides an overview of the default logon rights assigned to groups.

Table-1 Default Privileges Assigned to Groups

| Privilege | Description | Groups Assigned by Default in Domains |
| --- | --- | --- |
| Act As Part Of The Operating System | Allows a process to authenticate as any user. Processes that require this privilege must use the LocalSystem account, which already has this privilege. | None |
| Add Workstations To Domain | Allows users to add new computers to an existing domain. | Authenticated Users |
| Adjust Memory Quotas For A Process | Allows users to set the maximum amount of memory a process can use. | Administrators, Local Service, and Network Service |
| Back Up Files And Directories | Allows users to back up the system regardless of the permissions set on files and directories. | Administrators, Backup Operators, and Server Operators |
| Bypass Traverse Checking | Allows users to go through directory trees even if a user doesn't have permissions to access the directories being passed through. The privilege doesn't allow the user to list directory contents. | Administrators, Authenticated Users, Everyone, Local Service, and Network Service |
| Change The System Time | Allows users to set the time for the computer's clock. | Administrators, Server Operators, and Local Service |
| Change The Time Zone | Allows users to set the time zone for the system clock. | Administrators, Server Operators, and Local Service |
| Create A Pagefile | Allows users to create and modify the paging file size for virtual memory. | Administrators |
| Create A Token Object | Allows processes to create token objects that can be used to gain access to local resources. Processes that require this privilege must use the LocalSystem account, which already has this privilege. | None |
| Create Global Objects | Allows a process to create global directory objects. Most components already have this privilege and it's not necessary to specifically assign it. | Administrators, Service, Local Service, and Network Service |
| Create Permanent Shared Objects | Allows processes to create directory objects in the Windows object manager. Most components already have this privilege and it's not necessary to specifically assign it. | None |
| Create Symbolic Link | Allows an application that a user is running to create symbolic links. Symbolic links make it appear as if a document or folder is in a specific location when it actually resides in another location. Use of symbolic links is restricted by default to enhance security. | Administrators |
| Debug Programs | Allows users to perform debugging. | Administrators |
| Enable User And Computer Accounts To Be Trusted For Delegation | Permits users and computers to change or apply the trusted account for delegation setting, provided they have write access to the object. | Administrators |
| Force Shutdown Of A Remote System | Allows users to shut down a computer from a remote location on the network. | Administrators and Server Operators |
| Generate Security Audits | Allows processes to make security log entries for auditing object access. | Local Service and Network Service |
| Increase A Process Working Set | Allows an application that a user is running to increase the memory that the related process working set uses. A process working set is the set of memory pages currently visible to a process in physical memory. Allowing for increases in memory pages reduces page faults and enhances performance. | Users |
| Increase Scheduling Priority | Allows processes with write access to a process to increase the scheduling priority assigned to those processes. | Administrators |
| Load And Unload Device Drivers | Allows users to install and uninstall Plug and Play device drivers. This doesn't affect device drivers that aren't Plug and Play, which can only be installed by administrators. | Administrators and Print Operators |
| Lock Pages In Memory | In Windows NT, allowed processes to keep data in physical memory, preventing the system from paging data to virtual memory on disk. | Not used in Windows 2000 or later |
| Manage Auditing And Security Log | Allows users to specify auditing options and access the security log. You must turn on auditing in the group policy first. | Administrators |
| Modify An Object Label | Allows a user process to modify the integrity label of objects, such as files, Registry keys, or processes owned by other users. This privilege can be used to lower the priority of other processes. Processes running under a user account can modify the label of any object the user owns without requiring this privilege. | None |
| Modify Firmware Environment Values | Allows users and processes to modify system environment variables (not user environment variables). | Administrators |
| Perform Volume Maintenance Tasks | Allows administration of removable storage, disk defragmenter, and disk management. | Administrators |
| Profile A Single Process | Allows users to monitor the performance of non-system processes. | Administrators on domain controllers; on member servers and workstations, Administrators and Users |
| Profile System Performance | Allows users to monitor the performance of system processes. | Administrators |
| Remove Computer From Docking Station | Allows undocking a laptop and removing it from the network. | Administrators and Users |
| Replace A Process Level Token | Allows processes to modify the default token for subprocesses. | Local Service and Network Service |
| Restore Files And Directories | Allows restoring backed-up files and directories, regardless of the permissions set on files and directories. | Administrators, Backup Operators, and Server Operators |
| Shut Down The System | Allows shutting down the local computer. | Administrators, Backup Operators, Print Operators, and Server Operators |
| Synchronize Directory Service Data | Allows users to synchronize directory service data on domain controllers. | None |
| Take Ownership Of Files Or Other Objects | Allows users to take ownership of any Active Directory objects. | Administrators |
Table-2 Default Logon Rights Assigned to Groups

| Logon Right | Description | Groups Assigned by Default in Domains |
| --- | --- | --- |
| Access Credential Manager As A Trusted Caller | Grants permission to establish a trusted connection to Credential Manager. Credentials, such as a user name and password or smart card, provide identification and proof of identification. | None |
| Access This Computer From The Network | Permits remote access to the computer. | Administrators, Authenticated Users, and Everyone |
| Allow Logon Locally | Grants permission to log on to the computer interactively at the console. | Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators |
| Allow Logon Through Terminal Services | Allows access through Terminal Services; necessary for remote assistance and remote desktop. | None |
| Deny Access To This Computer From The Network | Denies remote access to the computer through network services. | None |
| Deny Logon As Batch Job | Denies the right to log on through a batch job or script. | None |
| Deny Logon As Service | Denies the right to log on as a service. | None |
| Deny Logon Locally | Denies the right to log on at the computer's keyboard. | None |
| Deny Logon Through Terminal Services | Denies the right to log on through Terminal Services. | None |
| Log On As A Batch Job | Grants permission to log on as a batch job or script. | Administrators, Backup Operators, and Performance Log Users |
| Log On As A Service | Grants permission to log on as a service. The LocalSystem account has this right. Services that run under separate accounts should be assigned this right. | None |
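As an added example (not part of the original page), the PowerShell below exports the local user-rights assignments with secedit and reports any account that holds one of the Table-1 privileges or Table-2 logon rights beyond the default listed in the tables. The privilege constants (SeDebugPrivilege and so on) and the well-known group SIDs are real Windows names; the temporary file name and the subset of rights audited are choices made for this example. Because the tables give domain defaults, a member workstation will show a few extra holders (Users, for instance), so each finding is a prompt to verify rather than proof of tampering.

```powershell
# Baseline: the page's documented domain defaults for a subset of rights, expressed as well-known SIDs.
# Assumes an elevated session on the machine being audited; secedit.exe ships with Windows.
$expected = @{
    'SeTcbPrivilege'                = @()                                   # Act As Part Of The Operating System: None
    'SeCreateTokenPrivilege'        = @()                                   # Create A Token Object: None
    'SeDebugPrivilege'              = @('S-1-5-32-544')                     # Debug Programs: Administrators
    'SeTakeOwnershipPrivilege'      = @('S-1-5-32-544')                     # Take Ownership Of Files Or Other Objects
    'SeSecurityPrivilege'           = @('S-1-5-32-544')                     # Manage Auditing And Security Log
    'SeLoadDriverPrivilege'         = @('S-1-5-32-544', 'S-1-5-32-550')     # Administrators, Print Operators
    'SeBackupPrivilege'             = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-549')  # Admins, Backup Ops, Server Ops
    'SeRestorePrivilege'            = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-549')  # the same three groups
    'SeRemoteInteractiveLogonRight' = @()                                   # Allow Logon Through Terminal Services: None
}

# Resolve names to SIDs (and back) so entries compare against the SID baseline and print readably.
function ConvertTo-Sid([string]$Account) {
    if ($Account -like 'S-1-*') { return $Account }
    try { return (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value } catch { return $Account }
}
function ConvertTo-AccountName([string]$Sid) {
    try { return (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
                 [System.Security.Principal.NTAccount]).Value } catch { return $Sid }
}

# Export only the user-rights area of the local policy and read its [Privilege Rights] section.
# Entries look like:  SeDebugPrivilege = *S-1-5-32-544   (comma-separated, SIDs prefixed with '*')
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'   # temporary file name chosen for this example
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$actual = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]; $holders = $Matches[2]
    $actual[$right] = @($holders.Split(',') | ForEach-Object { ConvertTo-Sid $_.Trim().TrimStart('*') } |
                        Where-Object { $_ })
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Report every holder that the documented default does not account for.
foreach ($right in ($expected.Keys | Sort-Object)) {
    foreach ($sid in @($actual[$right]) | Where-Object { $_ -and ($expected[$right] -notcontains $_) }) {
        [pscustomobject]@{ Right = $right; UnexpectedHolder = (ConvertTo-AccountName $sid) }
    }
}
```

Running the same script on a known-good build and diffing the two outputs turns the tables into a drift check that can be scheduled alongside other configuration baselines.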